crowdstrike/ioc Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

crowdstrike/ioc Dashboards

Domain overview

Widget	Description	Type
IOC geolocation	Location of client IP addresses present in IOC. Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| worldMap(ip=client_ip) // location of malicious client IP's`	`World Map`
Threat types	Pie chart showing breakdown of threat types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^ThreatType\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Threat relationships	Links client IP IOC labels to the different values of each label Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<category>^[^\/]+)\/(?<value>.+)$") \| sankey(source="category",target="value") // threat relationships`	`Sankey`
Actors	Pie chart showing breakdown of threat actors (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Actor\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Kill chains	Pie chart showing breakdown of kill chain values (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^KillChain\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
All threat details	Detailed information of all threats found in client IPs Hide Query Show Query logscale #logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| "ioc.malicious_confidence" match { unverified => icon := "\u2139 " ; low => icon := "\u2B07 " ; medium => icon := "\u26A0 " ; high => icon := "\u2757 " ; * => icon := " " ; } // icons to display for each malicious confidence \| concat(["icon", "ioc.malicious_confidence"], as="ioc.malicious_confidence") \| now := now() \| ioc_age := now - ioc.last_updated \| formatDuration(ioc_age, precision=2, as="ioc.age") \| groupBy(["ip_addr_IOC", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"]) // // all information regarding malicious client IP's \| formatTime(field="ioc.published_date", as="ioc.published_date", format="%Y-%m-%d %H:%M:%S") \| formatTime(field="ioc.last_updated", as="ioc.last_updated", format="%Y-%m-%d %H:%M:%S")	`Table`
Malware	Pie chart showing breakdown of malware types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Malware\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
note-1624965575450	# All Details The table below shows details of all the threats found, irrespective of the threshold filter applied. Click on the various aspects of these results to drill down into the raw events	`Note`

IP overview

Widget	Description	Type
IOC geolocation	Location of client IP addresses present in IOC. Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| worldMap(ip=client_ip) // location of malicious client IP's`	`World Map`
Threat types	Pie chart showing breakdown of threat types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^ThreatType\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Threat relationships	Links client IP IOC labels to the different values of each label Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<category>^[^\/]+)\/(?<value>.+)$") \| sankey(source="category",target="value") // threat relationships`	`Sankey`
Actors	Pie chart showing breakdown of threat actors (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Actor\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Kill chains	Pie chart showing breakdown of kill chain values (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^KillChain\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
All threat details	Detailed information of all threats found in client IPs Hide Query Show Query logscale #logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| "ioc.malicious_confidence" match { unverified => icon := "\u2139 " ; low => icon := "\u2B07 " ; medium => icon := "\u26A0 " ; high => icon := "\u2757 " ; * => icon := " " ; } // icons to display for each malicious confidence \| concat(["icon", "ioc.malicious_confidence"], as="ioc.malicious_confidence") \| now := now() \| ioc_age := now - ioc.last_updated \| formatDuration(ioc_age, precision=2, as="ioc.age") \| groupBy(["ip_addr_IOC", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"]) // // all information regarding malicious client IP's \| formatTime(field="ioc.published_date", as="ioc.published_date", format="%Y-%m-%d %H:%M:%S") \| formatTime(field="ioc.last_updated", as="ioc.last_updated", format="%Y-%m-%d %H:%M:%S")	`Table`
Malware	Pie chart showing breakdown of malware types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Malware\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
note-1624965575450	# All Details The table below shows details of all the threats found, irrespective of the threshold filter applied. Click on the various aspects of these results to drill down into the raw events	`Note`

Overview

Widget	Description	Type
Threat attributes	Displays a flow chart of threat attributes based on URL, IP and domain data. Hide Query Show Query logscale \| ioc:lookup([/insert field names containing URLs here/], type="url", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing IP addresses here/], type="ip_address", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing domains here/], type="domain", strict="false", confidenceThreshold=?threshold) \| ioc.detected = true \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<label>^[^\/]+)\/(?<value>.+)$") \| sankey(source="label", target="value")	`Sankey`
Threat severity over time	Displays threat severity over time using URL, IP address, and domain. Hide Query Show Query logscale `\| ioc:lookup([/insert field names containing URLs here/], type="url", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing IP addresses here/], type="ip_address", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing domains here/], type="domain", strict="false", confidenceThreshold=?threshold) \| ioc.detected = true \| split("ioc") \| timechart(ioc.malicious_confidence, span=1h)`	`Time Chart`
Threats by confidence	Displays a list of threats by confidence level based on URLs, IP addresses, and domains. Hide Query Show Query logscale `\| ioc:lookup([/insert field names containing URLs here/], type="url", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing IP addresses here/], type="ip_address", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing domains here/], type="domain", strict="false", confidenceThreshold=?threshold) \| ioc.detected = true \| split("ioc") \| groupBy(["ioc.malicious_confidence"])`	`Pie Chart`
Guide	Please use these dashboards as inspiration on building your own security insights. To get started, edit the queries in the widget to insert the right field names you want to look up IOC matches on.	`Note`

URL overview

Widget	Description	Type
IOC geolocation	Location of client IP addresses present in IOC. Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| worldMap(ip=client_ip) // location of malicious client IP's`	`World Map`
Threat types	Pie chart showing breakdown of threat types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^ThreatType\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Threat relationships	Links client IP IOC labels to the different values of each label Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<category>^[^\/]+)\/(?<value>.+)$") \| sankey(source="category",target="value") // threat relationships`	`Sankey`
Actors	Pie chart showing breakdown of threat actors (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Actor\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Kill chains	Pie chart showing breakdown of kill chain values (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^KillChain\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
All threat details	Detailed information of all threats found in client IPs Hide Query Show Query logscale #logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| "ioc.malicious_confidence" match { unverified => icon := "\u2139 " ; low => icon := "\u2B07 " ; medium => icon := "\u26A0 " ; high => icon := "\u2757 " ; * => icon := " " ; } // icons to display for each malicious confidence \| concat(["icon", "ioc.malicious_confidence"], as="ioc.malicious_confidence") \| now := now() \| ioc_age := now - ioc.last_updated \| formatDuration(ioc_age, precision=2, as="ioc.age") \| groupBy(["ip_addr_IOC", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"]) // // all information regarding malicious client IP's \| formatTime(field="ioc.published_date", as="ioc.published_date", format="%Y-%m-%d %H:%M:%S") \| formatTime(field="ioc.last_updated", as="ioc.last_updated", format="%Y-%m-%d %H:%M:%S")	`Table`
Malware	Pie chart showing breakdown of malware types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Malware\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
note-1624965575450	# All Details The table below shows details of all the threats found, irrespective of the threshold filter applied. Click on the various aspects of these results to drill down into the raw events	`Note`

Enter search term